Thawte is a supplier of digital certificates. I’ve used the company to purchase certificates for code-signing.

Today I received an email inviting me to complete a customer survey. I think it is genuine: if I look at the email headers, the source domain belongs to a marketing company called Responsys which lists Verisign as a customer. Verisign owns Thawte.

I clicked the link to do the survey. Immediately I was asked to give my username and password into a web page owned by Taylor Nelson Sofres plc which is a market research company. Again, looks genuine.

What username and password? Well, I’m presuming it’s the credentials for my Thawte account that are being requested. Either that, or it’s a very broken survey.

I don’t get this. An authentication company sends me an (unsigned) email asking me to hand over my credentials to a third-party marketing company?

Could it be a phishing scam from someone who has hacked into these domains? It’s possible – I’ve emailed Thawte to complain so I may discover if this is the case.

Or just another example of woeful security on the Internet?

Update: just received an email apology from Thawte:

I wanted to reach out and apologize. The partner survey that was sent out to all recipients will be resent later on today with the correct link which will not require you to supply a user name and password.

Agreed, that you should not supply login credentials to a third party website.

Faulty survey, or a hasty change of mind? Let’s assume the former.